[certificates] Introduce cluster certs, and useSystemCa switch
Johan De Wit committed Feb 20, 2024
1 parent fb4bfe0 commit 4a34af6
Showing 3 changed files with 49 additions and 10 deletions.
2 changes: 1 addition & 1 deletion lib/puppet/provider/mongodb.rb
Expand Up @@ -31,7 +31,7 @@ def self.mongo_conf
config = YAML.load_file(mongod_conf_file) || {}
mongosh_config = {}
mongosh_config = YAML.load_file("#{Facter.value(:root_home)}/.mongosh.yaml") if File.file?("#{Facter.value(:root_home)}/.mongosh.yaml")
# determine if we need the tls for connecion or client
# determine if we need tls for the admin user
if mongosh_config['admin'] && mongosh_config['admin']['tlsCertificateKeyFile']
tlscert = mongosh_config['admin']['tlsCertificateKeyFile']
auth_mech = mongosh_config['admin']['auth_mechanism'] if mongosh_config['admin']['auth_mechanism']
Expand Down
36 changes: 29 additions & 7 deletions manifests/server.pp
Expand Up @@ -293,6 +293,21 @@
#
# @param tls_mode
# Defines if TLS is used for all network connections. Allowed values are 'requireTLS', 'preferTLS' or 'allowTLS'.
#
# @param tls_use_system_ca
# Use the system-wide CA certificate store when connecting to a TLS-enabled server.
#
# @param tls_cluster_key
# File that contains the x.509 certificate-key file for membership authentication for the cluster or replica set.
#
# @param tls_cluster_ca
# file that contains the root certificate chain from the Certificate Authority used to validate the certificate
# presented by a client establishing a connection.
#
# @param tls_invalid_certificates
# Enable or disable the validation checks for TLS/SSL certificates on other servers in the cluster and allows
# the use of invalid certificates.
#
# @param admin_password_hash
# Hashed password. Hex encoded md5 hash of mongodb password.
#
Expand All @@ -316,7 +331,8 @@
# Administrator authentication mechanism. scram_sha_256 password synchronization verification is not supported.
#
# @param supported_auth_mechanisms
# Set the supported authentication mechanisms that the mmongoserver will support. Is set, make sure the $admin_auth_mechanism is also included.
# Set the supported authentication mechanisms that the mmongoserver will support. Is set, make sure the
# $admin_auth_mechanism is also included.
#
# @param admin_tls_key
# Filepath of the administrators x509 certificate. Its the user of this class that needs to manage this certificate.
Expand Down Expand Up @@ -399,18 +415,24 @@
$config_content = undef,
Optional[String] $config_template = undef,
Optional[Hash] $config_data = undef,
Optional[Boolean] $ssl = undef,
Boolean $ssl = false,
Optional[Stdlib::Absolutepath] $ssl_key = undef,
Optional[Stdlib::Absolutepath] $ssl_ca = undef,
Boolean $ssl_weak_cert = false,
Boolean $ssl_invalid_hostnames = false,
Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'requireSSL',
Boolean $tls = false,
Enum['disabled', 'requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'disabled',
Boolean $tls = true,
Enum['disabled', 'requireTLS', 'preferTLS', 'allowTLS'] $tls_mode = 'requireTLS',
# cluster tls settings
Optional[Boolean] $tls_use_system_ca = undef,
Optional[Stdlib::Absolutepath] $tls_cluster_key = undef,
Optional[Stdlib::Absolutepath] $tls_cluster_ca = undef,
#client tls settings
Optional[Stdlib::Absolutepath] $tls_key = undef,
Optional[Stdlib::Absolutepath] $tls_ca = undef,
Boolean $tls_conn_without_cert = false,
Boolean $tls_invalid_hostnames = false,
Enum['requireTLS', 'preferTLS', 'allowTLS'] $tls_mode = 'requireTLS',
Boolean $tls_invalid_certificates = false,
Boolean $restart = $mongodb::params::restart,
Optional[String] $storage_engine = undef,
Boolean $create_admin = $mongodb::params::create_admin,
Expand Down Expand Up @@ -449,11 +471,11 @@
$admin_password
}

# using x509, we need the admin clent certificate in the parameter --tlsCertificateKeyFile
# Using x509, we need the admin client certificate in the parameter --tlsCertificateKeyFile
# there is no way where we can set this in neither the /etc/momgosh.yaml or the /etc/mongod.conf
# The mongodb provider reads in /etc/mongod.conf setParameters.authenticationMechanisms: MONGODB-X509 settings
# to determine that a client cert authentication is used. There is no setting to set the client cert to be used.
# so we store it in a file in roots home directory. (this is done in mongodb::server::config
# so we store it in a file in roots home directory. (this is done in mongodb::server::config)

if $create_admin and ($service_ensure == 'running' or $service_ensure == true) {
mongodb::db { 'admin':
Expand Down
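Review bot: The default of `$tls` changes from `false` to `true` (`Boolean $tls = true,`) while `$tls_mode` still defaults to `'requireTLS'` and `$tls_key` to `undef`, so a node that sets none of the TLS parameters now gets `net.tls.mode: requireTLS` rendered with no `net.tls.certificateKeyFile`, which mongod will most likely refuse to start with; if the old opt-in behavior is intended, keep `Boolean $tls = false,` or default `$tls_mode` to `'disabled'`. The `@param tls_mode` text still names only `'requireTLS'`, `'preferTLS'` and `'allowTLS'` even though the Enum now also accepts `'disabled'`; add that value to the sentence. `$tls_invalid_certificates` is declared and documented here but none of this commit's template hunks consume it, so confirm it is rendered (presumably as `net.tls.allowInvalidCertificates`) or the documented switch does nothing. The class parameter list continues outside the hunk.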
21 changes: 19 additions & 2 deletions templates/mongodb.conf.erb
Expand Up @@ -121,10 +121,22 @@ net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %>
<% end -%>
<% if @tls -%>
net.tls.mode: <%= @tls_mode %>
<% if @tls_key -%>
net.tls.certificateKeyFile: <%= @tls_key %>
<% end -%>
<% if @tls_cluster_key -%>
net.tls.ClusterFile = <%= @tls_cluster_key %>
<% end -%>
<% if ! @tls_use_system_ca -%>
<%# its this parameter or the explicit ca file location %>
<%# This options will be set in the setparameter section below %>
<% if @tls_ca -%>
net.tls.CAFile: <%= @tls_ca %>
<% end -%>
<% if @tls_cluster_ca -%>
net.tls.clusterCAFile: <%= @tls_ca %>
<% end -%>
<% end -%>
<% if @tls_conn_without_cert -%>
net.tls.allowConnectionsWithoutCertificates: <%= @tls_conn_without_cert %>
<% end -%>
Expand Down Expand Up @@ -167,13 +179,18 @@ setParameter:
<%= v %>
<% end -%>
<% end -%>
<% if @supported_auth_mechanisms -%>
<%# setParameters.auth... gives an error on startup status=2/INVALIDARGUMENT -%>
<% if @supported_auth_mechanisms || @tls_use_system_ca -%>
<% if !@set_parameter -%>
setParameter:
<% end -%>
<% if @supported_auth_mechanisms -%>
<%# setParameters.auth... gives an error on startup status=2/INVALIDARGUMENT -%>
authenticationMechanisms: <%= @supported_auth_mechanisms.join(',') %>
<% end -%>
<% if @tls_use_system_ca -%>
tlsUseSystemCA: true
<% end -%>
<% end -%>
<% if @config_data -%>
<% @config_data.each do |k,v| -%>
Expand Down
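Review bot: `net.tls.ClusterFile = <%= @tls_cluster_key %>` is not valid for mongod.conf, which is YAML: the separator must be `:` and the option is spelled `net.tls.clusterFile`, so the line should read `net.tls.clusterFile: <%= @tls_cluster_key %>`. A few lines below, the `@tls_cluster_ca` branch emits `net.tls.clusterCAFile: <%= @tls_ca %>`, so the cluster CA is silently replaced by the client CA (or by an empty value when `$tls_ca` is unset) and membership certificates are validated against the wrong trust root; it should be `net.tls.clusterCAFile: <%= @tls_cluster_ca %>`. The two `<%# ... %>` comment tags inside the `! @tls_use_system_ca` branch lack the `-%>` trailer used everywhere else in this template, so they leave blank lines in the rendered file; harmless for YAML but worth aligning. The `<% if @tls -%>` block opened in this hunk closes outside it, so the options after `allowConnectionsWithoutCertificates` were not checked.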